1. Field of the Invention
The present invention is in the technical area of devices and methods for authorization of persons to transact digitally with security-enhanced sites, and pertains more specifically to multi-factor authentication.
2. Description of Related Art
The technology area to which the present invention belongs is often termed cybersecurity, and the term is used in this document. A major issue in cybersecurity today is the ability of persons, acting on their own or representing specific enterprises, to verify their identity in a proposed digital transaction with a high level of surety.
Authentication may be established by using what are termed factors. A simple example is something you know. This is a basis for password authorization. A person may be tasked, when negotiating with a digital entity, to choose a password, which that person will know, and the digital site (such as a bank) will save that password. When a person seeks to transact with the site in the future, the site will ask for a name (username) and a password, providing digital fields for entry. If the password entered compares exactly with the saved password for that username, the person may be authorized to transact, such as to review data on the site. If the password is the only piece of information required for authorization, this may be termed single-factor, or one-factor, authentication.
It is well known that single-factor authentication is rather easy to compromise. Typically, a password is weak for a couple of reasons, but foremost is a tendency for people to use weak passwords that can be easily compromised, as well as to reuse the same password for several accounts, so that once a password is compromised on one system it may be compromised on multiple systems. Other issues with this type of factor are possible interception of the passwords, resetting of the passwords, the usage of the passwords from anywhere around the world, and so on. Many enterprises, for these reasons, have moved beyond single-factor authentication, even though it is often complex for both the users and the enterprises to verify identity beyond one factor.
A second factor that may be added to strengthen security is What You Are. This factor typically may be added as a biometric scan, such as a fingerprint, facial recognition, iris scan and so on. A potential weakness here is that a clear-text password is visible to everyone around you, fingerprints can be lifted from any object you touch, facial recognition can be pulled from, for example, a social media site, and iris recognition can be pulled from an HD camera, like the one on a person's phone when they take a selfie.
A third factor that may be added is What You Have. Typically, this third factor is in the form of a token or a program that creates a token or a one-time password (OTP). In combination with a What You Know factor and very intelligent backend services, this can be pretty secure. However, such a third factor requires a lot of administration as well as cost for the token devices. This fact has led to less expensive and less secure options that rely on a key imported into a phone or other personal device, which in turn can be compromised to gain this factor.
The present inventor, with these facts in mind, has decided that what is clearly needed is a combination of two factors into a single device, to reduce complexity and increase security.